Krebs on Security

In-depth security news and investigation

Critical Java Update Fixes 20 Flaws

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

If you use Java, take some time to update the program now. According to a report released this month by Microsoft, the most commonly observed exploits in the first half of 2011 were those targeting Java flaws. The report also notes that Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.

Don’t know if you have Java? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. A majority of folks who have Java installed will have some update of Java 6; this latest patch brings Java 6 to Update 29. Oracle has also released a major revision, Java 7 (the fixes shipped in Java 6 Update 29 are included in Java 7 Update 1). It’s not clear whether Java 7 is meant for regular users or for developers at this point, because the Free Java Download link at java.com still takes users to Version 6 Update 29.

Microsoft Windows users can update Java by opening the Java icon in the Windows Control Panel and then clicking the “Update Now” button on the Update tab.

I’ve urged readers who have no use for Java to get rid of the program, but there is another way to keep it around while reducing the likelihood that the software will be targeted by malicious Web sites: unplug it from the browser. In Mozilla, Java can be toggled on or off via the plugins menu of the Add-ons page. In Internet Explorer, Java can be disabled via the “Manage Add-ons” option.

Finally, Windows users may find more than one Java version in the Add/Remove Programs list in the Control Panel. Older Java 6 versions can be safely removed after updating. The updater in Java 6 was long ago tweaked to remove older versions of Java before installing an update, but if you’ve already upgraded to Java 7, be aware that it does not remove Java 6 versions.
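Because the fixed levels named above (Java 6 Update 29 and Java 7 Update 1) are the only facts an administrator needs to triage a machine, a small inventory check is worth having. The following script is an added example, not code from the post or from Oracle: it parses the first line of `java -version` output, decides whether an installed family is at or above the fixed update level, and flags leftover older installs of the kind the paragraph above describes. The Add/Remove Programs display-name pattern (`Java(TM) 6 Update 29` and the like) and the sample names are assumptions constructed for the example; check them against your own inventory tool before relying on the regex.

```python
import re

# Update levels at which the October 2011 critical patch is included,
# as stated in the post: Java 6 Update 29 and Java 7 Update 1.
PATCHED_LEVELS = {6: 29, 7: 1}

# `java -version` prints lines such as:  java version "1.6.0_29"
# (Java 7 Update 1 reports itself as "1.7.0_01"). Note the tool writes
# to stderr, so capture that stream when running it from a script.
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)"')

# Assumed Add/Remove Programs display-name format; adjust if your
# inventory source names the product differently.
_PRODUCT_RE = re.compile(r'Java(?:\(TM\))? (\d+) Update (\d+)')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, e.g. (6, 29)."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % output)
    return int(m.group(1)), int(m.group(2))


def is_patched(major, update):
    """True if this Java family is at or above the fixed update level.

    An unknown family cannot be verified against the post, so it is
    reported as not patched rather than silently passed."""
    fixed = PATCHED_LEVELS.get(major)
    if fixed is None:
        return False
    return update >= fixed


def audit_installed(product_names):
    """Classify Add/Remove Programs entries.

    Returns {display_name: status} where status is one of:
      "patched"    - newest install of its family and at/above the fixed level
      "vulnerable" - newest install of its family but below the fixed level
      "superseded" - an older install left behind next to a newer one
                     (the Java 7 installer does not remove Java 6, and an
                     out-of-date Java 6 beside Java 7 is still exploitable
                     by anything that targets it, so remove it after updating)
    Non-Java entries are ignored."""
    found = []
    for name in product_names:
        m = _PRODUCT_RE.search(name)
        if m:
            found.append((name, int(m.group(1)), int(m.group(2))))

    # Newest update seen per major family, so older copies can be flagged.
    newest = {}
    for _, major, update in found:
        newest[major] = max(newest.get(major, -1), update)

    report = {}
    for name, major, update in found:
        if update < newest[major]:
            report[name] = "superseded"
        elif is_patched(major, update):
            report[name] = "patched"
        else:
            report[name] = "vulnerable"
    return report


if __name__ == "__main__":
    # Constructed sample data, not captured from a real machine.
    sample_output = 'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)\n'
    major, update = parse_java_version(sample_output)
    print("default JRE: Java %d Update %d, patched=%s" % (major, update, is_patched(major, update)))

    sample_programs = [
        "Java(TM) 6 Update 26",
        "Java(TM) 6 Update 29",
        "Java 7 Update 1",
        "Some Other Program",
    ]
    for name, status in sorted(audit_installed(sample_programs).items()):
        print("%-24s %s" % (name, status))
```

The check deliberately treats an unfamiliar major version as unverified rather than assuming it is fine, and it reports an older copy as "superseded" only when a newer install of the same family is present; a lone Java 6 Update 26 is reported as "vulnerable", which is the case the post is warning about.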

This entry was posted on Thursday, October 20th, 2011 at 10:10 am and is filed under Time to Patch.

29 comments

Is there a recommended way to get Java to automatically and silently update without user intervention? I grow tired of depending on users to actually take the time to update Java and it is needed for our remote software solution.

Java itself has an auto-update component. You can see in the “Control Panel -> Java -> Update” Tab on Windows. I think that by default, it checks once a month. That may vary based on the version you initially install.

Once a month is nowhere near often enough, unfortunately, given how frequently Java needs to be patched.

I also don’t have the choice of using apps that require it on my job, nor of having much less tech-savvy coworkers using those apps. Since they don’t know what “Java” is, they aren’t sure if they should permit updates or if it’s some kind of scareware. It’s a pain.

There is a way to auto update, java’s auto update will download the update but the user still has to install it.
Secunia Personal Software Inspector (PSI) is free software that can be set to auto update and auto install Java and a host of other programs. http://secunia.com/vulnerability_scanning/personal/

I can’t attest to java specifically, but I quite often get a pop-up from Secunia PSI saying that a version change to one application or another has been patched. This is on the standard account side of Vista x64.

When I check my CCleaner console, the new version is indeed already installed. I’m sure it probably doesn’t work for everything, but I’m very happy with this performance none-the-less.

If for no other reason than seeing the color of the systray icon change from green to red or yellow; with a warning that something is past support(end of life, etc.); it is well worth the alerts, so immediate action can be taken. This lowers the threat profile quite a bit for zero day exploits.

Same here; and I have at least one application that relies on it. I let File Hippo Update Checker or Secunia PSI let me know when to update. Sometimes FH update checker beats the regular updater. Not this time however. They alerted me and my clients at the same time this go around.

Not long ago they were so obtrusive they installed all the way to the Control Panel! It took Revo Uninstaller to get rid of the tentacles Ask put into the system. Anything that nasty just doesn’t deserve to exist in my book.

The free version of Ninite automatically says “No” to toolbars and other junk. However, unlike Ninite Pro, which Big Geek Daddy mentioned above, you have to manually run the app periodically. I run it every morning and it usually takes less than a minute.

It’s not just some websites that may require Java. The OpenOffice suite, which I suppose is now supported by Oracle, indicates it requires Java, but I’ve never installed Java, and Writer and Calc, the only apps I used, worked just fine without it. So if you use OpenOffice I would say try it without Java. And if you find some of the OpenOffice apps need it, read and heed the words of Brian to make sure you’re up to date.

For people who may be new to computer maintenance: this would not prevent JavaScript exploitation, but of course turning off Java in the browser controls would prevent that avenue. Another post already mentions NoScript, another good way to block that attack vector, in Mozilla Firefox at least.

I saw a remark from a security researcher that Java 7 has finally got comprehensive ASLR support. If you have to have Java installed, switch from the 6 family to 7. And I’d also use Microsoft EMET to throw its own anti-exploit protections around Java as well.